A Model for
COMMUNICATING SEQUENTIAL PROCESSES

C. A. R. Hoare

Oxford University Computing Laboratory
Programming Research Group
45 Banbury Road
Oxford OX2 6PE

Summary: A previous paper [5] has suggested that parallel
composition and communication should be accepted as primitive
concepts in programming. This paper supports the suggestion
by giving a simplified mathematical model for processes, using
traces [6] of the possible interactions between a process and
its environment.






1. Introduction.



The primary objective of this paper is to give a simple
mathematical model for communicating sequential processes. The 
model is illustrated in a wide range of familiar programming 
exercises, including an operating system and a simulation study. 
As the exposition unfolds, the examples begin to look like programs, 
and the notations begin to look like a programming language. 
Thus the design of a language seems to emerge naturally from its 
formal definition, in an intellectually pleasing fashion. 

The model is not intended to deal with certain problems 
of nondeterminism. These have been avoided by observance of 
certain restrictions detailed in the appendix. No attention 
has been paid to problems of efficient implementation; for this, 
even further restrictions should be imposed. 

The long term objective of this study is to provide a basis 
for the proof of correctness of programs expressed as communicating 
sequential processes. However, in this paper the formalities have 
been kept to a minimum and no proofs are given. 



2. Basic Concepts and Notations. 



The ultimate constituent of our model is a symbol, which
may be intuitively understood as denoting a class of event in
which a process can participate.

(a) "5p" denotes insertion of a coin into the slot
    of a vending machine VM.

(b) "large" denotes withdrawal from VM of a large
    packet of biscuits.

(c) "up" denotes incrementation of a COUNT register.



The alphabet of a process is the set of all symbols 
denoting events in which that process can participate. 

(d) {5p, 10p, large, small, 5pchange} is the alphabet of
the vending machine VM. 

(e) {up, down, iszero} is the alphabet of COUNT. 

A trace is a finite sequence of symbols recording the actual
or potential behaviour of a process from its beginning up to some
moment in time.

(f) <10p, small, 5pchange> is a trace of a successful initial
transaction of VM.

(g) <> (the empty sequence) is a trace of its behaviour before
its first use.

(h) <up, down, iszero, down> is not a trace of a COUNT,
since a zero count cannot be decremented.



A process P is defined by the set of all traces of its
possible behaviour. From the definition of a trace, it follows
that for any process P,

(1) <> is in P (i.e. P is non-empty)

(2) if st (the concatenation of s with t) is in P then
so is s by itself (i.e. P is prefix-closed)

These properties will help to simplify the definition of parallel
composition of processes.

The process ABORT is one that never does anything.

ABORT = {<>}

The process (c → P) first does "c" and then behaves like the
process P.

(c → P) = {<>} ∪ {<c>s | s is in P}

where <c> is the sequence consisting solely of c.

The process P □ Q behaves either like the process P or like
the process Q; the choice will be determined by the environment
in which it is placed.

P □ Q = P ∪ Q (normal set union)

(see technical note (1))

The alphabet of a process P will be denoted by αP. Usually
we will assume that the alphabet of a process is given by the set
of all symbols occurring in its traces.

αABORT = {} (the empty set)

α(c → P) = {c} ∪ αP

α(P □ Q) = αP ∪ αQ



We shall frequently use recursive definitions to specify the 
behaviour of long-lasting processes. These recursions are to be 
understood in the same sense as the recursive equations of (say) 
a context-free grammar expressed in BNF. 

(i) VM = (5p → (5p → (large → VM □ 5p → ABORT)
               □ small → VM)
        □ 10p → (small → (5pchange → VM)
                □ large → VM))



On its first step VM accepts either 5p or 10p.
In the first case, its following step is either the acceptance of a
second 5p (preparatory to withdrawal of a large packet of biscuits)
or the immediate withdrawal of a small packet. The second case
should be self-explanatory. In all cases, after a successful
transaction, the subsequent behaviour of VM is to offer a similar
service to an arbitrarily long sequence of later customers. But if
any customer is so unwise as to put three consecutive 5p coins into
the slot, the machine will break (ABORT) and never do anything
else again.

In conventional BNF grammar, the use of mutually recursive
definitions is familiar. To avoid the limitations of context-
free languages, we shall sometimes give an infinite set of mutually
recursive definitions.

(j) COUNT_n describes the behaviour of a count register with current
value n. For n > 0,

COUNT_n = (up → COUNT_{n+1} □ down → COUNT_{n-1})

whereas the behaviour of a zero count is

COUNT_0 = (up → COUNT_1 □ iszero → COUNT_0).

A zero count cannot be decremented, but it can respond to a test
"iszero". The use of this test will be illustrated in section 5(g).



3. Parallel Combination of Processes. 



The traces of a process define all its possible behaviours.
The actual behaviour of a process P operating in an environment
E will in general be constrained by this environment. The environment
E can also be regarded as a process, consisting of all sequences of
events in which it is capable of participating. Each event that
actually occurs must be possible at the time of occurrence for both
the process and for its environment. Consequently, the set of all
the traces of the process and its environment operating in parallel
and interacting with each other is simply the intersection of the
two sets P ∩ E.

For example, a customer of a vending machine is initially
prepared to accept a large or even a small packet of biscuits,
if they are available. Alternatively he inserts a coin, without
noticing its value, and then attempts to withdraw a large packet of
biscuits.

CUSTOMER = {<>, <large>, <small>, <10p>, <5p>,
            <10p, large>, <5p, large>}

When VM interacts with this customer, the set of possible traces of
their interaction is

VM || CUSTOMER = {<>, <10p>, <10p, large>, <5p>}

Note how VM does not permit the customer to withdraw the biscuits
before paying. But even more unfortunate is the fate that befalls
the customer when he has inserted 5p. Then the VM is prepared to
yield only a small packet of biscuits, whereas the foolish customer
is trying vainly to extract a large packet. No further events
are possible; machine and customer are locked forever in deadly
embrace [1].

The description given above assumes that the alphabets of 
the process and its environment are the same, so that every event 
requires simultaneous participation of both of them. In general, 
some of the symbols could be in the alphabet of only one of the 
two processes, and so the corresponding events can occur without 
the participation of the other process. For example, a customer 
may fumble in his pocket, or curse when he is thwarted; a vending 
machine may clink on accepting a coin and clunk on withdrawal of 
biscuits.

CUSTOMERB = {<fumble, 5p, large>, ...,
             <fumble, 5p, curse, small>, ...}

VMB = {<5p, clink, small, clunk>, ...}

Events which are particular to only one of the interacting 
processes can occur concurrently with events particular to the other 
one. It is convenient to model such concurrency by arbitrary 
interleaving of symbols. Thus the traces of the combined behaviour 
of VMB and CUSTOMERB will include 

{<fumble, 5p, clink, curse, small, clunk>,
 <fumble, 5p, curse, clink, small, clunk>, ...}

even though the clink and the curse can overlap in real time.
The reason why interleaving is an acceptable model of concurrency
is that we are interested only in the logical properties of processes
and not in their timing.

The process (P||Q) is the process resulting from the operation 
of P and Q in parallel. The curious mixture of synchronisation of 
symbols in both their alphabets with interleaving of the other symbols
has a surprisingly simple definition. 

(P||Q) = {s | s ∈ (αP ∪ αQ)* & s↾αP is in P & s↾αQ is in Q}

where s↾X (s restricted to X) is obtained from
s by simply omitting all symbols outside X,

and X* is the set of all finite sequences of symbols from X.

Thus each process ignores events of the other process which do
not require its participation. In the case that the alphabets of
the two processes are the same, (P||Q) is just the intersection of the
sets (P ∩ Q). In the case where the alphabets are disjoint (αP ∩ αQ = {}),
(P||Q) is the set of all interleavings of a trace from P with a
trace from Q.

A well-known example on which to test this definition is the
story of the five dining philosophers. The system as a whole
consists of two groups of processes:

DININGROOM = PHILOSOPHERS || FORKS

where PHILOSOPHERS = PHIL_0 || ... || PHIL_4

and FORKS = FORK_0 || ... || FORK_4

and PHIL_i = (i sitsdown → i picksup fork i →
              i picksup fork i⊕1 → i putsdown fork i →
              i putsdown fork i⊕1 → i getsup → PHIL_i)

and FORK_i = (i picksup fork i → i putsdown fork i → FORK_i
              □ i⊖1 picksup fork i → i⊖1 putsdown fork i → FORK_i)

where i⊕1, i⊖1 are taken modulo 5.

The alphabets of the philosophers are pairwise disjoint. 
This means that (characteristically) they do not interact directly 
with each other: their joint behaviour is an arbitrary merging of 
their individual behaviours. The same is true of the forks. However, 
each event of picking up a fork and putting it down requires simultaneous 
participation of exactly two processes, one philosopher and one fork. 

It is well known that the simple system described above is
liable to a deadly embrace after:

<0 sitsdown, ..., 4 sitsdown,
 0 picksup fork 0, ..., 4 picksup fork 4>

An ingenious solution to this problem is to introduce a 
BUTLER process into the dining room; his task is to assist each 
philosopher to and from his seat, ensuring as he does so that not 
more than four philosophers are seated at a time. 

NEWDININGROOM = DININGROOM || BUTLER_0

where BUTLER_n (for n between 0 and 4) describes the behaviour of the
butler when there are n philosophers seated. For example

BUTLER_4 = (0 getsup → BUTLER_3 □ ... □ 4 getsup → BUTLER_3)

The remaining cases will be defined in section 9(b).
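The operators of sections 2 and 3 are small enough to execute. The following Python program is an added example, not part of Hoare's paper: it represents a process by its current menu of events and the process that follows each event (the deterministic form that the paper's restrictions permit), builds (P||Q) exactly as defined above (an event in both alphabets needs both processes, any other event interleaves), and searches the reachable states for a deadlock, i.e. a state with an empty menu. It reproduces the VM || CUSTOMER traces, finds the ten-event deadly embrace of the dining room, and checks that adding BUTLER_0 removes it. The event strings (such as "0 picksup fork 1"), the class and function names, and the choice of Python are this example's own conventions.

```python
from collections import deque
from functools import reduce

class Proc:
    """A process given by its menu of initial events and the process that follows
    each one.  Recursion (VM = (... -> VM)) is tied by filling `branches` in after
    the object exists, so every state of a definition keeps one identity."""
    def __init__(self, branches=None, name="?"):
        self.branches, self.name = dict(branches or {}), name
    def menu(self):
        return frozenset(self.branches)
    def after(self, e):
        return self.branches[e]
    def key(self):
        return id(self)

ABORT = Proc(name="ABORT")            # trace set {<>}: no event is ever possible

def cycle(p, events):
    """Define p = e1 -> e2 -> ... -> en -> p in place."""
    cont = p
    for e in reversed(events[1:]):
        cont = Proc({e: cont})
    p.branches = {events[0]: cont}

def alphabet(p):
    """All symbols occurring in the traces of p, by walking its reachable states."""
    seen, todo, syms = {p.key()}, [p], set()
    while todo:
        q = todo.pop()
        for e in q.menu():
            syms.add(e)
            r = q.after(e)
            if r.key() not in seen:
                seen.add(r.key()); todo.append(r)
    return frozenset(syms)

class Par:
    """(P||Q) of section 3: an event in both alphabets must be offered by both
    processes; an event in only one alphabet belongs to that process alone."""
    def __init__(self, p, q, ap=None, aq=None):
        self.p, self.q = p, q
        self.ap = alphabet(p) if ap is None else ap
        self.aq = alphabet(q) if aq is None else aq
    def menu(self):
        pm, qm = self.p.menu(), self.q.menu()
        return (pm & qm) | (pm - self.aq) | (qm - self.ap)
    def after(self, e):
        return Par(self.p.after(e) if e in self.ap else self.p,
                   self.q.after(e) if e in self.aq else self.q, self.ap, self.aq)
    def key(self):
        return (self.p.key(), self.q.key())

def par(*ps):                          # P1 || P2 || ... (|| is associative)
    return reduce(Par, ps)

def traces(p, n):
    """All traces of p of length at most n."""
    out, stack = set(), [((), p)]
    while stack:
        s, q = stack.pop()
        out.add(s)
        if len(s) < n:
            stack.extend((s + (e,), q.after(e)) for e in q.menu())
    return out

def deadlock(p):
    """Shortest trace after which no event at all is possible, or None."""
    seen, todo = {p.key()}, deque([((), p)])
    while todo:
        s, q = todo.popleft()
        if not q.menu():
            return s
        for e in sorted(q.menu()):
            r = q.after(e)
            if r.key() not in seen:
                seen.add(r.key()); todo.append((s + (e,), r))
    return None

# Section 2(i): the vending machine; three consecutive 5p coins break it.
VM = Proc(name="VM")
VM.branches = {"5p": Proc({"5p": Proc({"large": VM, "5p": ABORT}), "small": VM}),
               "10p": Proc({"small": Proc({"5pchange": VM}), "large": VM})}

# Section 3: the customer, written out directly from his finite trace set.
CUSTOMER = Proc({"large": ABORT, "small": ABORT,
                 "10p": Proc({"large": ABORT}), "5p": Proc({"large": ABORT})})

# Section 3: five dining philosophers; i(+)1 and i(-)1 are taken modulo 5.
N = 5
PHIL = [Proc(name=f"PHIL{i}") for i in range(N)]
FORK = [Proc(name=f"FORK{i}") for i in range(N)]
for i in range(N):
    j, k = (i + 1) % N, (i - 1) % N
    cycle(PHIL[i], [f"{i} sitsdown", f"{i} picksup fork {i}", f"{i} picksup fork {j}",
                    f"{i} putsdown fork {i}", f"{i} putsdown fork {j}", f"{i} getsup"])
    FORK[i].branches = {f"{i} picksup fork {i}": Proc({f"{i} putsdown fork {i}": FORK[i]}),
                        f"{k} picksup fork {i}": Proc({f"{k} putsdown fork {i}": FORK[i]})}
DININGROOM = Par(par(*PHIL), par(*FORK))

# BUTLER_n (sections 3 and 9(b)): at most four philosophers are seated at a time.
BUTLER = [Proc(name=f"BUTLER{n}") for n in range(N)]
for n in range(N):
    BUTLER[n].branches = {f"{i} sitsdown": BUTLER[n + 1] for i in range(N) if n < N - 1}
    BUTLER[n].branches.update({f"{i} getsup": BUTLER[n - 1] for i in range(N) if n > 0})
NEWDININGROOM = Par(DININGROOM, BUTLER[0])

if __name__ == "__main__":
    print(sorted(traces(Par(VM, CUSTOMER), 5)))  # [(), ('10p',), ('10p', 'large'), ('5p',)]
    print(deadlock(Par(VM, CUSTOMER)))           # ('5p',)
    print(deadlock(DININGROOM))                  # ten events: everyone sits, takes own fork
    print(deadlock(NEWDININGROOM))               # None
```

The search is exhaustive over reachable states (each component is finite), so `None` from `deadlock` is a proof for the modelled system, not a sample. Alphabets are computed by exploration, which is the paper's usual convention; pass `ap` and `aq` explicitly to `Par` when a process must be blocked on a symbol it never itself performs.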

4. Sequential Combination of Processes.

The process ABORT has been defined as one that never does
anything, because it is already broken. We now wish to introduce
another process SKIP, which also does nothing, but for a completely
different reason: it has already succeeded, and there is nothing
more for it to do. Successful termination can be regarded as an
event denoted by a special symbol √ (success), and the process that
just succeeds is:

SKIP = {<>, <√>}.

(see technical note (2))

The use of SKIP can be illustrated by adapting some previous 
examples. 

(a) A vending machine which participates in just one transaction
(successful or unsuccessful):

VM1 = (5p → (5p → (large → SKIP □ 5p → ABORT)
            □ small → SKIP)
      □ 10p → (small → (5pchange → SKIP)
             □ large → SKIP))

(b) A customer, who terminates successfully after a single successful
transaction:

CUSTOMERC = (5p → large → SKIP
            □ 10p → large → SKIP)

(c) Their joint behaviour is:

VM1 || CUSTOMERC = (5p → ABORT
                   □ 10p → large → SKIP)

Note that when √ is in the alphabet of both P and Q, successful
termination of (P||Q) requires that both of them terminate successfully
(see technical note (3)).

The introduction of the concept of successful termination permits
the definition of sequential composition (P;Q) of processes P and Q.
This behaves first like P. If P fails, then so does (P;Q). But if
P has terminated successfully, (P;Q) continues by behaving like Q.
More formally,

P;Q = {s | s is in P and s does not contain √}
      ∪ {st | s<√> is in P and t is in Q}

Two simple repetitive statements can be defined

for i:l..h → P_i = SKIP                          if h < l
                 = P_l; (for i:l+1..h → P_i)     otherwise

P until Q = Q □ (P; (P until Q))

(d) A vending machine which serves at most three customers:

VM3 = VM1; VM1; VM1

(e) And now twenty customers:

VM20 = for i:1..20 → VM1

(f) An automaton which accepts any number of "a"s followed by a
single "b" and then the same number of "c"s:

A^nBC^n = (b → SKIP □ a → A^nBC^n; (c → SKIP))

(g) A process which accepts any interleaving of more "up"s than
"down"s; but terminates successfully on first receiving one more
"down" than "up":

POS = (down → SKIP □ up → POS; POS)

Note: to counteract an initial "up" it is necessary to accept two
more "down"s than "up"s; this is done by first accepting one more,
and then by accepting one more again.

(h) An alternative formulation of (g):

POS = (up → POS) until (down → SKIP)

(i) A process that behaves exactly like COUNT_0:

ZERO = (iszero → ZERO □ up → POS; ZERO)

(j) An automaton that accepts equal numbers of "a"s, "c"s, and "e"s:

A^nBC^nDE^n = (A^nBC^n; (d → SKIP)) || C^nDE^n

where C^nDE^n will be defined in 5(b).

The first process ensures that the "c"s match the "a"s, and ignores
the "e"s. The other process ignores the "a"s, but ensures that the
"c"s are matched by the "e"s.

In future we shall often abbreviate

"(d → SKIP)" to just "d".


5. Alphabet Transformation.

Let f be a total function which maps the symbols of one alphabet
Y onto symbols of another alphabet Z, so that:

f(x) is in Z for all x in Y

Given a process P with alphabet Y, we can define a process f(P)
with alphabet Z, which behaves like P, except that it does f(x)
whenever P would have done x.

f(P) = {f(s) | s is in P} (see technical note (4))

where f(s) is obtained from s by applying f to each of its symbols.

(a) To represent the sad effect of monetary inflation on a vending
machine:

NEWVM = f(VM)

where f(5p) = 10p, f(small) = verysmall, etc.

(b) A process used in example 4(j):

C^nDE^n = f(A^nBC^n)

where f(a) = c, f(b) = d, and f(c) = e.

The most frequent use of alphabet change will be to give
different names to otherwise similar processes. So we introduce
a set M of special symbols to serve as process names. If x denotes
an event, and m is a name in M, then the compound symbol "m.x" denotes
participation in event x by a process named m. We stipulate that
events prefixed by distinct process names are distinct:

m ≠ n implies m.x ≠ n.x.

The prefixing of a name is accomplished by a function

prefix_m(x) = m.x for all x.

We can now define m:P as a process with name m, which does m.x whenever
P would do x:

m:P = prefix_m(P)

(c) Two distinct vending machines, operating independently in 
parallel (by interleaving of traces): 

(red:VM || green:VM)

In general, the alphabet of a process will contain (in
addition to events that require participation of its external
environment) certain other events which represent its internal
workings. These internal events are intended to occur automatically,
without participation or even knowledge of the environment. To
model the concealment of such events, we wish to remove the corresponding
symbols from the alphabet of the process, and from every trace of
its behaviour. Let X be the set of symbols to be concealed; the
result of the concealment is defined:

P\X = {s↾(αP − X) | s is in P} (see technical note (5))

where α(P\X) = αP − X (set subtraction)

(d) A soundproofed version of VMB (section 3):

VMB\{clink, clunk}

When a process has been defined by parallel composition of
two or more processes, the mutual interactions of the component
processes are often of no concern to their common environment.
These interactions are just the events named by symbols occurring
in the alphabets of more than one of the components. We represent
the concealment of these events by enclosure in square brackets:

[P || Q] = (P||Q)\(αP ∩ αQ)

This definition generalises to more than two components:

[P_1 || P_2 || ... || P_n] = (P_1 || P_2 || ... || P_n)\X

where X = ∪_{i≠j} (αP_i ∩ αP_j)

(e) A USER process uses a COUNT register named m, interacting
with it by events

{m.iszero, m.up, m.down}

These interactions are to be concealed, thereby ensuring that the
register serves as a local variable for the benefit of only the
single user:

[m:COUNT_0 || USER]

(f) Similar to (e), but with two registers:

[n:COUNT_0 || m:COUNT_0 || USER]

(g) Inside the USER process, the following subprocess will add the
current value of n to m, leaving the value of n unchanged:

ADDNTOM = (n.iszero → SKIP
          □ n.down → m.up; ADDNTOM; n.up)



Another use for concealment is to remove √ from the alphabet
of a process that is not intended to terminate. For example,
if P is a normally terminating process, *P is a process which
repeats P for as long as is required by the environment within
which it runs:

*P = (P; (*P))\{√}
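Sections 4 and 5 define ";", "until", *P, f(P) and P\X directly as operations on trace sets, and section 2 says that recursive definitions are to be read as in BNF, i.e. as least fixed points. The following Python is an added example, not from the paper: it represents a process as the finite set of its traces with at most n visible symbols, implements each operator as the set comprehension given above, and obtains a recursive process by iterating its defining equation from ABORT until the set stops growing. It checks POS in both formulations (4(g) and 4(h)), A^nBC^n (4(f)), C^nDE^n (5(b)), and that *VM1 has the same traces as VM. The bound n, the string "√" for the success symbol, the dict form of f, and the function names are this example's conventions.

```python
TICK = "√"                        # the success symbol of section 4
ABORT = {()}                      # {<>}
SKIP = {(), (TICK,)}              # {<>, <√>}

def visible(s):
    """Number of symbols in s other than √."""
    return sum(1 for x in s if x != TICK)

def cut(P, n):
    """Keep only the traces with at most n visible symbols."""
    return {s for s in P if visible(s) <= n}

def prefix(c, P):                 # (c -> P) = {<>} u {<c>s | s in P}
    return {()} | {(c,) + s for s in P}

def choice(*Ps):                  # P [] Q = P u Q
    return set().union(*Ps)

def seq(P, Q):                    # P;Q exactly as in section 4
    return ({s for s in P if TICK not in s}
            | {s[:-1] + t for s in P if s and s[-1] == TICK for t in Q})

def rename(f, P):                 # f(P) = {f(s) | s in P}, f given as a dict
    return {tuple(f.get(x, x) for x in s) for s in P}

def hide(P, X):                   # P\X: omit the symbols of X from every trace
    return {tuple(x for x in s if x not in X) for s in P}

def fix(F, n):
    """Least solution of X = F(X), restricted to n visible symbols.  Every
    operator above is monotonic and never builds a trace out of traces with more
    visible symbols than the result, so iterating from ABORT until nothing
    changes yields exactly the restriction of the true fixed point."""
    X = ABORT
    while True:
        Y = cut(F(X), n)
        if Y == X:
            return X
        X = Y

def until(P, Q, n):               # P until Q = Q [] (P; (P until Q))
    return fix(lambda X: choice(Q, seq(P, X)), n)

def star(P, n):                   # *P = (P; (*P))\{√}
    return fix(lambda X: hide(seq(P, X), {TICK}), n)

def terminated(P):
    """The traces of P that end in √, with the √ removed."""
    return {s[:-1] for s in P if s and s[-1] == TICK}

def prefix_closed(P):
    return () in P and all(s[:-1] in P for s in P if s)

def anbcn(n):                     # 4(f): (b -> SKIP [] a -> A^nBC^n; (c -> SKIP))
    return fix(lambda X: choice(prefix("b", SKIP),
                                prefix("a", seq(X, prefix("c", SKIP)))), n)

def cnden(n):                     # 5(b): f(A^nBC^n) with f(a)=c, f(b)=d, f(c)=e
    return rename({"a": "c", "b": "d", "c": "e"}, anbcn(n))

def pos(n):                       # 4(g): (down -> SKIP [] up -> POS; POS)
    return fix(lambda X: choice(prefix("down", SKIP),
                                prefix("up", seq(X, X))), n)

def pos_until(n):                 # 4(h): (up -> POS) until (down -> SKIP)
    return fix(lambda X: until(prefix("up", X), prefix("down", SKIP), n), n)

# 4(a): VM1 serves one transaction, then succeeds (or breaks on a third 5p).
VM1 = choice(prefix("5p", choice(prefix("5p", choice(prefix("large", SKIP),
                                                    prefix("5p", ABORT))),
                                 prefix("small", SKIP))),
             prefix("10p", choice(prefix("small", prefix("5pchange", SKIP)),
                                  prefix("large", SKIP))))

def vm(n):                        # 2(i): the machine that serves customers for ever
    return fix(lambda X: choice(
        prefix("5p", choice(prefix("5p", choice(prefix("large", X), prefix("5p", ABORT))),
                            prefix("small", X))),
        prefix("10p", choice(prefix("small", prefix("5pchange", X)), prefix("large", X)))), n)

if __name__ == "__main__":
    print(sorted(terminated(pos(6))))          # the four ways to reach one more down than up
    print(pos(6) == pos_until(6))              # True: 4(g) and 4(h) have the same traces
    print(("a", "a", "b", "c", "c") in terminated(anbcn(6)))   # True
    print(star(VM1, 6) == vm(6))               # True: *VM1 is VM (section 5, *P)
```

Counting visible symbols rather than trace length is what makes the bound safe: ";" drops a √ and *P hides it, so a trace of length n in the result can come from a longer √-terminated trace, but never from one with more visible symbols.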



(h) A familiar example: 



6. Input and Output.

The model developed in the previous sections is sufficiently
general to apply to any kind of event. In the following sections
we shall be concerned primarily with communication events, involving
output of information by one process and input of information by
another. For these events we introduce particular notations. If t
is a value of type T, then

!t denotes output of a message with value t
?t denotes input of a message with value t.

(a) A process which behaves as a Boolean variable. At any time, it
is ready to input its next value or to output the value which it
has most recently input (if any).

BOOL = (?true → TRUEBOOL □ ?false → FALSEBOOL)

TRUEBOOL = (?true → TRUEBOOL □ ?false → FALSEBOOL
           □ !true → TRUEBOOL)

and FALSEBOOL is similar.



When a process performs input of some value x, its subsequent
behaviour will usually depend on the value which it has just
input. Although the type T of x may be known, the identity of
the value which is actually going to be input is usually not known;
the process must be prepared to do ?t (input of t) for any t in T;
the selection will be made by its environment. To achieve this we
introduce a form of input command:

(?x:T → P_x) = {<>} ∪ {<?t>s | t in T and s in P_t}

(b) A process which just copies what it inputs:

COPY_T = *(?x:T → !x)

This process serves as a one-place buffer.



(c) Similar to (b), except that consecutive pairs of "*" are replaced
by "↑":

SQUASH = *(?x:CHAR →
           if x ≠ "*" then !x
           else (?y:CHAR → if y = "*" then !"↑"
                           else !"*"; !y))



(d) A process which behaves as a variable of type T:

VAR_T = (?x:T → VAR_x)

where VAR_x = (!x → VAR_x □ (?y:T → VAR_y))

VAR_x is the behaviour of a variable with value x.

Clearly, BOOL = VAR_{false,true}.



(e) A process which inputs cards, and outputs their contents one
character at a time, interposing an extra space after each card:

UNPACK = *(?c:CARD → (for i:1..80 → !c_i); !" ")

where CARD = array 1..80 of CHAR.

(f) A process which inputs characters one at a time and assembles
them into lines of 125 characters, which are then output:

PACK = PACK_<>

where PACK_l = !l; PACK_<>                if length(l) = 125
             = (?c:CHAR → PACK_{l<c>})    otherwise



(g) A queue QUEUE_T at any time is prepared to input a new element of
type T, or to output the element which was input the earliest (if
any):

QUEUE_T = BUFF_<>

where BUFF_<> = (?x:T → BUFF_<x>)

and for s ≠ <>,

BUFF_s = (?x:T → BUFF_{s<x>}
         □ !first(s) → BUFF_{rest(s)})

(h) A stack is similar to a queue, except that it outputs the element
which was input the latest; it also can give an indication when it
is empty:

STACK_T = *(!isempty → SKIP
           □ ?x:T → STK_x)

where STK_x = (?y:T → STK_y) until (!x → SKIP)



7. Communication.

Suppose that we wish two processes P and Q to operate in
parallel in such a way that every message output by P is input
directly by Q. The resulting compound process is denoted (P»Q).
The synchronisation involved in direct communication requires that
each output !t in P be regarded as the same event as an input ?t
in Q. Such events are to be concealed from their common environment.

The required effect is achieved by transforming the alphabets
of P and Q, prior to their composition. Thus we define

P»Q = [strip!(P) || strip?(Q)]

where strip!(!t) = t, strip!(?t) = ?t

and strip?(!t) = !t, strip?(?t) = t

Note that all output from the outside environment is input by P, and
all output by Q is input by the environment.

(a) Text is to be input from 80-column cards and output in lines
of 125 characters each.

LISTING = UNPACK»PACK

(b) Similar to the above, except that consecutive "*"s are to be
replaced by "↑":

CONWAYS EXAMPLE = UNPACK»SQUASH»PACK

(c) Similar to (a) except that communication is desynchronised
by interposing an unbounded buffer:

UNPACK»QUEUE_CHAR»PACK

This example shows that no generality is lost by taking
synchronised communication as primitive.

(d) Similar to (c) except with only double buffering:

UNPACK»COPY_CHAR»COPY_CHAR»PACK

(e) An alternative definition of QUEUE_T (6(g)):

QUEUE_T = (?x:T → (QUEUE_T»(!x; COPY_T)))



8. Named source and destination.

The » combinator allows construction of chains of anonymous
communicating processes, each taking input from its predecessor and
sending output to its successor in the chain. For other more
elaborate patterns of communication we shall use named processes,
and allow each input or output to quote the name of its source or
destination:

m!t denotes output of message t to process named m
m?t denotes input of message t from process named m.

(a) To update and test a boolean variable named b:

USERB = ( ... b!true ... (b?true ... □ b?false ...) ...)

We also need to input arbitrary values from a named source:

(m?x:T → P_x) = {<>} ∪ {<m?t>s | t is in T and s is in P_t}
x 1 t 



(b) To update an integer variable named m:

USERM = (... m!7 ... (m?x:INT → m!(x+3)) ...)

This has the effect: ... m := 7 ... m := m+3 ...

Henceforth we shall use these conventional notations for updating
variables.

(c) A subroutine which repeatedly inputs a floating point argument
and outputs its tangent as result:

TAN = *(?x:FP → sin!x; cos!x;
        (sin?y:FP → (cos?z:FP → !(y/z))))

In order to establish synchronised communication between a
named process m:P and an unnamed process Q, we need to ensure that
each m!t in Q denotes the same event as ?t in P, and each
m?t in Q denotes the same event as !t in P. This is conveniently
achieved by adapting the definition of prefix_m when applied to input
and output events, thus:

prefix_m(?t) = m!t and prefix_m(!t) = m?t.

In future we shall assume that this adapted definition of prefix is
used in process naming.

(d) To declare a local boolean variable for USERB:

[b:BOOL || USERB]

(e) Similarly for USERM:

[m:VAR_INT || USERM]

(f) A subroutine which calls two local subroutines to assist in
its calculations:

TANGENT = [sin:SIN || cos:COS || TAN]

(g) A subroutine which computes a factorial by recursion. As before,
the argument and result are communicated by input and output.

FAC = (?x:NN → if x = 0 then !1
              else [f:FAC || f!(x−1); (f?y:NN → !(x×y))])

Each activation, if necessary, creates another activation to compute
the recursive call.

(h) A similar technique can be used to define a recursive data
structure; for example, a set which inputs its members, and answers
"!yes" if the value input was already a member and "!no" otherwise.
Each activation stores one number x, and uses a recursive activation
to store the rest of the set.

SET_T = (?x:T → !no;
        [rest:SET_T ||
         (?y:T → if y = x then !yes
                 else rest!y; (rest?yes → !yes
                              □ rest?no → !no))])



The previous examples show communication between a single named
(slave) process and a single unnamed (master) process. In more general
communication networks, it is necessary to allow one named process to
communicate with another named process. As before, this is accomplished
by equating the event m!t in a process named n with the event n?t in a
process named m. Again, the definition of prefix_m is adapted for this
purpose:

prefix_m(n?t) = prefix_n(m!t) = n.m!t.

(i) A network for multiplication of a matrix by a vector. Processes
COL1, COL2, COL3 output the columns of a matrix IN.
Values v_1, v_2, v_3 form a vector by which the matrix is to be multiplied.
The resulting column is to be output to a DISPLAY process.

Since it is desirable to input three numbers at a time, and
multiply three numbers at a time, a network of processes is required.
They are pictured in figure 1, where each communication channel is
annotated by the typical value that passes along it.

The algorithm is defined

[m_0:M_0 || m_1:M_1 || m_2:M_2 || m_3:M_3 || m_4:DISPLAY]

where M_0 = *(m_1!0) (a source of zeroes)

and for 1 ≤ i ≤ 3

M_i = *(m_{i−1}?sum:FP →
       col_i?x:FP → m_{i+1}!(x×v_i + sum))

9. Sharing.

Let X be a finite or infinite set, and let P_x be a process for each
x in X.

[||x:X]P_x = ABORT                 if X is empty
           = P_u || P_v || ...     if X is {u, v, ...}

(see technical note (6))

[□x:X]P_x = ABORT                  if X is empty
          = P_u □ P_v □ ...        if X is {u, v, ...}

We define ANY as the set of all process names,
and any(r) = {r_i | i is an integer}.

(a) PHILOSOPHERS = [||i:0..4] PHIL_i

(b) BUTLER_0 = [□i:0..4](i sitsdown → BUTLER_1)

and for 0 < n < 4,

BUTLER_n = [□i:0..4](i sitsdown → BUTLER_{n+1}
                   □ i getsup → BUTLER_{n−1})

(BUTLER_4 was defined in section 3.)

(c) An exclusion semaphore:

MUTEX = *([□x:ANY]x?acquire → x?release)

It must be released by the same process which acquired it.

(d) An array of three exclusion semaphores, protecting three identical
resources:

[||i:1..3] r_i:MUTEX

A user can acquire and release any one of the available resources by

([□mine:any(r)]mine!acquire → ...use the resource...; mine!release)

(e) A hardware line printer with name h is to be shared for the
output of complete files:

LP_h = *([□x:ANY]x?acquire →
         (x?l:LINE → h!l until x?release → SKIP))

Each iteration of the major loop first "acquires" an arbitrary user x,
and then copies lines from x to h until receiving a "release" signal.

(f) This improved definition of LP_h ensures that each user's file is
separated from the next by a "!throw" to the next even page boundary,
and two rows of "!asterisks":

LP_h = (h!throw; h!asterisks;
       *([□x:ANY]x?acquire → h!asterisks;
         (x?l:LINE → if l ≠ asterisks then h!l else SKIP
          until x?release); h!throw; h!asterisks))

The test l ≠ asterisks discards any line a user sends that would be
indistinguishable from the separator, so that no user can make his
output look like the end of his file and the start of another's.

(g) A shared variable of type T:

SHAR_T = ([□x:ANY]x?y:T → SH_y)

where SH_y = ([□x:ANY]x!y → SH_y
             □ [□x:ANY]x?z:T → SH_z)

This example shows that a communication-based theory of parallelism 
is not in principle different from one based on shared variables. 

In the previous examples, when many processes attempt simultaneously 
to acquire a shared resource, all but one will have to wait; and when 
the resource is released, it is not determined in what sequence they 
will eventually acquire the resource. If it is important to control 
the sequence of acquisition, we need a more complicated scheduler which 
will separate the request and the granting of the resource as distinct 
events. 



(h) A "first come first served" scheduler, sharing a group of N
resources. A QUEUE is needed to store the names of waiting users.

FCFS_N = [q:QUEUE_ANY || free:VAR_INT ||
          free := N;
          *([□x:ANY]x?request → free := free − 1;
                               if free < 0 then q!x else x!granted
           □ [□x:ANY]x?release → free := free + 1;
                               if free ≤ 0 then (q?y:ANY → y!granted))]

Conventional notations have been used for updating variables. Note
that the two tests differ: a request that leaves free negative is
queued, and a release that leaves free at or below zero means that
a queued user is waiting and must now be granted.
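The scheduler in (h) separates the request from the grant, and the two tests on free are what make it first come first served. The following Python is an added example, not from the paper: it models FCFS_N as a state machine driven by a constructed sequence of request and release events from named users, records the grants it emits, and checks the order of grants and the invariant that at most N users hold a resource at once. A switch selects the weaker test free < 0 on release, to show that it leaves a waiting user queued for ever once the queue has drained to exactly one waiter. The user names, the event representation and the class and function names are this example's own.

```python
from collections import deque

class FCFS:
    """FCFS_N of 9(h).  A request is granted at once while a resource is free,
    otherwise the requester's name is queued; a release hands the freed resource
    to the longest-waiting user.  wrong_test=True uses free < 0 on release
    instead of free <= 0, to show why the second test must be <=."""

    def __init__(self, n, wrong_test=False):
        self.free, self.q, self.wrong_test = n, deque(), wrong_test
        self.holders, self.granted = set(), []       # bookkeeping for the checks

    def request(self, x):                            # x?request
        self.free -= 1
        if self.free < 0:
            self.q.append(x)                         # q!x
        else:
            self._grant(x)                           # x!granted

    def release(self, x):                            # x?release
        if x not in self.holders:
            raise ValueError(f"{x} released a resource it does not hold")
        self.holders.remove(x)
        self.free += 1
        waiting = self.free < 0 if self.wrong_test else self.free <= 0
        if waiting:
            self._grant(self.q.popleft())            # q?y -> y!granted

    def _grant(self, y):
        self.holders.add(y)
        self.granted.append(y)

def run(n, events, wrong_test=False):
    """Drive FCFS_n with (user, "request" | "release") events.  Returns the order
    in which users were granted, the users still queued, and the peak number of
    simultaneous holders (which must never exceed n)."""
    s, peak = FCFS(n, wrong_test), 0
    for user, op in events:
        getattr(s, op)(user)
        peak = max(peak, len(s.holders))
    return s.granted, list(s.q), peak

# Constructed workload (not from the paper): three users contend, two finish.
WORKLOAD = [("A", "request"), ("B", "request"), ("C", "request"),
            ("A", "release"), ("B", "release")]

if __name__ == "__main__":
    print(run(1, WORKLOAD))                   # (['A', 'B', 'C'], [], 1)
    print(run(2, WORKLOAD))                   # (['A', 'B', 'C'], [], 2)
    print(run(1, WORKLOAD, wrong_test=True))  # (['A', 'B'], ['C'], 1): C is never granted
```

With N = 1 and the correct test, B's release leaves free = 0, which is the signal that C is still queued; with the weaker test that release grants nobody, and C waits indefinitely although the resource is idle.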

10. A multiprogrammed batch processing system.

A multiprogrammed batch processing system inputs jobs from any
of C cardreaders, executes them on any of P processors, and outputs
the results on any of L line printers. An account is kept of the cost
of each job, and this is printed out at the end. If the cost exceeds
a certain limit, the job is truncated.

The overall structure of the system is

MBPS = [CARDREADERS || LINEPRINTERS || PROCESSORS]

where CARDREADERS = [||i:1..C] cr_i:CR_i

and LINEPRINTERS = [||i:1..L] lp_i:LP_i

and PROCESSORS = [||i:1..P] pr_i:PROC

Each processor executes a stream of jobs submitted by users:

PROC = *SINGLEJOB

The process SINGLEJOB executes a single user's job, taking input from
any free reader and channeling output to any free printer:

SINGLEJOB =
  [cost:VAR_NN || c:VAR_CARD ||
   ([□in:any(cr)]in!acquire →
    [□out:any(lp)]out!acquire →
    cost := 0; RUN;
    in!release;
    out!account(cost); out!release)]

The process RUN needs an auxiliary process USER (not shown here)
which actually executes the user's job. This USER is assumed to be
initialised to some standard compiler or control language interpreter.
It interposes a regular "!timeslice" signal after every million instructions
executed; and sends a "!finished" signal when the user program is finished
(if ever).
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RUN « [pr:USER| |LOOP] 

where LOOP = cost: = cost + 1; 

if cost>costlimit then SKIP 
else (pr?l:LINE -►. out! I ; LOOP 

Upr!c + ( in?x: CARD + dx);L00P 
\ipr?timesl ice + LOOP 
\Jpr?f inished + SKIP 

) 

In practice, the interface between USER and LOOP will be implemented 
by hardware protection mechanisms and by supervisor calls and exits. 

In order to prevent interference between successive jobs submitted
in a batch, the cards of each job are separated from the next job by an
"endcard", which is used for no other purpose. The task of CR is to
ensure that the cards for each job are consumed right up to the endcard
but not beyond it.

    CR_h = *([□x:ANY] x?acquire → (h?c:CARD → FILE_c))

where FILE_c = (x!c → if c = endcard then FILE_c
                       else (h?c:CARD → FILE_c)
               □ x?release → SCAN_c)

where SCAN_c = if c = endcard then SKIP
               else (h?c:CARD → SCAN_c)

If the user attempts to read beyond the endcard, he just gets further 
copies of the endcard. 
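The behaviour of CR_h, FILE_c and SCAN_c rendered as an added Python model (not code from the paper): the endcard value, the deck and the jobs are constructed here, and the model shows that a job sees only its own cards and, past the endcard, only further copies of it.

```python
ENDCARD = "$EOJ"   # constructed marker for the endcard; any value no job uses will do

class CardReader:
    """Model of CR_h: one job at a time acquires the reader and reads cards;
    on release the unread remainder of its deck is scanned off up to, but not
    beyond, the endcard (SCAN_c), so the next job cannot see or lose cards."""

    def __init__(self, deck):
        self.h = iter(deck)       # hardware channel h, one card per h?c
        self.c = None             # the card buffered in FILE_c
        self.owner = None

    def _h(self):
        # h?c:CARD; an empty hopper is modelled as an endless supply of endcards
        return next(self.h, ENDCARD)

    def acquire(self, job):
        assert self.owner is None, "reader already acquired"
        self.owner = job
        self.c = self._h()        # x?acquire -> (h?c:CARD -> FILE_c)

    def read(self, job):
        # x!c: hand over the buffered card; advance only if it was not the
        # endcard, so reading beyond the end yields further endcards
        assert self.owner == job, "reader not held by this job"
        card = self.c
        if card != ENDCARD:
            self.c = self._h()
        return card

    def release(self, job):
        # x?release -> SCAN_c: consume unread cards up to the endcard, not beyond
        assert self.owner == job, "reader not held by this job"
        while self.c != ENDCARD:
            self.c = self._h()
        self.owner = None

def run_batch(deck, jobs):
    """Run constructed jobs in sequence; jobs is [(name, cards_requested)].
    Returns the cards each job actually saw."""
    cr = CardReader(deck)
    seen = {}
    for name, n in jobs:
        cr.acquire(name)
        seen[name] = [cr.read(name) for _ in range(n)]
        cr.release(name)
    return seen

# Constructed deck of three jobs separated by endcards: J1 reads fewer cards
# than it has, J2 tries to read past its endcard, J3 reads exactly its own.
DECK = ["j1a", "j1b", ENDCARD, "j2a", ENDCARD, "j3a", "j3b", "j3c", ENDCARD]
JOBS = [("J1", 1), ("J2", 4), ("J3", 3)]
```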



We now specify an array of processes which perform pseudo-offline 
output of files. Each process uses a file (acquired from a filing 
system) to hold the user's output, and acquires a real line printer only 
when the user's output is complete. 






    SPOOLEDLPS = [||i:NN] slp_i : SLP

where SLP = [□x:ANY] x?acquire →
            [□f:any(file)] f!acquire →
            (x?l:LINE → f!l until x?release);
            f!rewind;
            ([□out:any(lp)] out!acquire →
             (f?l:LINE → out!l until f?eof);
             out!release)



SLP acts like a "process" in a language like MODULA; a new "instance"
comes into existence as a result of each "call" of the form:

    ([□out:any(slp)] out!acquire → ... out!release)



11. Discrete event simulation. 



In designing a program to simulate a fragment of the real world,
it is necessary also to simulate the passage of real time. Any process
of the program may need to enquire the current value of simulated time,
by inputting it from a "timer" process:

    (timer?t:TIME → ...t is time now...).

Furthermore, a process may need to delay itself until simulated time
reaches some predetermined value, say 8 o'clock. This is done by
outputting the required alarm setting to the timer process:

    timer!8oclock.

This is an event which is guaranteed to occur only at 8 o'clock (in
simulated time). Thus, to delay itself for d units of simulated time,
a process can perform the actions:

    HOLD(d) = (timer?t:TIME → timer!(t+d))



The timer process is always prepared to output the current value
of simulated time. It is also prepared to input a value, provided that
this is equal to the current value of simulated time. Finally, if all
activity of the user processes has terminated, the simulated time clock
is stepped on to its next value. TIM_t describes the behaviour of the
timer at simulated time t.

    TIM_t = ([□x:ANY] x!t → TIM_t
            □ [□x:ANY] x?t → TIM_t
            □ otherwise → TIM_next(t)
            )

where "otherwise" is an event which is intended to occur only when 
nothing else can occur. 

It remains to give a rigorous definition of such an event. If P is
a process, we define rescue_e(P) as:

    rescue_e(P) = Q \ {e}

where Q = {s | s is in P
             and if t<e> is an initial substring of s
                 and t<x> is in P then x = e}

Now if the USERS are a group of processes to be executed in simulated
time:

    simulate(USERS) = rescue_timer.otherwise(timer:TIM_1 || USERS).

(a) Let PATHS be a set of names of unidirectional paths in a network.
For each path p in PATHS:

    length(p) is the time taken to traverse the path.

    succ(p) is the set of paths leading from the destination of p.

SPARK_p is a process representing a single traversal of path p; it is
triggered by a "start" signal from one of its predecessors, and
after traversing the path, it propagates a start signal to all
its successors.

    SPARK_p = ([□s:PATHS] s?start →
               HOLD(length(p));
               ([||d:succ(p)] d!start → ABORT)
              )
(b) A special path "dest" is singled out as the intended destination
of a journey. It triggers the start point of the journey, and then
waits for the first spark to propagate back to itself. It then outputs
the time and terminates successfully:

    DEST = source!start;
           ([□s:PATHS] s?start →
             (timer?t:TIME → !t)
           )



(c) To output the length of the shortest route in the network between
the source and the destination:

    simulate([||p:(PATHS − {dest})] p:SPARK_p
             || dest:DEST)


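As an added example (not code from the paper), a Python scheduler playing the role of TIM_t and HOLD, with SPARK_p and the shortest-route computation of (a) to (c) run on a constructed network. It simplifies in two ways: a start signal to a successor spawns that successor's spark instead of being a channel message, and the spark that first reaches "dest" records timer?t itself in place of a separate DEST process.

```python
import heapq
from itertools import count

def HOLD(d):
    # HOLD(d) = (timer?t:TIME -> timer!(t+d)): read the clock, set an alarm at t+d
    t = yield ("time",)
    yield ("alarm", t + d)

def simulate(users):
    """TIM_t as a scheduler over generator processes that yield ("time",),
    ("alarm", when) or ("spawn", gen); the clock steps only when nothing can run."""
    t, alarms, seq = 0, [], count()
    ready = [(g, None) for g in users]
    while ready or alarms:
        while ready:                             # everything runnable at time t
            g, reply = ready.pop(0)
            try:
                req = g.send(reply)
            except StopIteration:
                continue
            if req[0] == "time":                 # x!t
                ready.append((g, t))
            elif req[0] == "alarm":              # x?t': accepted only when t == t'
                heapq.heappush(alarms, (req[1], next(seq), g))
            else:                                # "spawn": add a new user process
                ready += [(req[1], None), (g, None)]
        if alarms:                               # otherwise -> TIM_next(t)
            t = alarms[0][0]
            while alarms and alarms[0][0] == t:
                ready.append((heapq.heappop(alarms)[2], t))
    return t

def SPARK(p, net, started, arrivals):
    """SPARK_p: traverse p, then start each successor once (a later start finds
    that spark gone: ABORT). The first start to reach "dest" records timer?t."""
    yield from HOLD(net[p]["length"])
    for d in net[p]["succ"]:
        if d not in started:
            started.add(d)
            if d == "dest":
                arrivals.append((yield ("time",)))   # DEST: timer?t -> !t
            else:
                yield ("spawn", SPARK(d, net, started, arrivals))

def shortest_route(net, source):
    arrivals, started = [], {source}              # source!start fires the first spark
    simulate([SPARK(source, net, started, arrivals)])
    return arrivals[0] if arrivals else None      # length of the shortest route
# Constructed network: each path's length and the paths leaving its far end.
NET = {"sa": {"length": 0, "succ": ["ab", "ac"]}, "ab": {"length": 1, "succ": ["bd", "bc"]},
       "ac": {"length": 3, "succ": ["cd"]}, "bd": {"length": 5, "succ": ["dest"]},
       "bc": {"length": 1, "succ": ["cd"]}, "cd": {"length": 1, "succ": ["dest"]}}
```

Since every spark holds for exactly its path length and a path is started only by the first spark to reach it, the recorded arrival time is the shortest route length (here sa, ab, bc, cd for 3), while the longer route via bd only completes later, at time 6.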

(d) A machine shop possesses ten groups of machines. Each group contains
seven machines, which are scheduled by a foreman using a "first-come-
first-served" discipline. The shop has to process a set of orders
identified by names in X. Each order in turn uses a reader to input
its parameters:

    starttime:      at which it enters the shop,
    numberofsteps:  required to fulfil the order,

and for each step:

    machinegroup:   of machine needed for this step,
    servicetime:    for this step.

An exclusion semaphore is required for proper sharing of the reader.
Output of results has been ignored.

    MACHINESHOP =
        simulate([rdr:MUTEX
                 || [||i:1..10] foreman_i : FCFS_7
                 || [||x:X] x:ORDER
                 ])



Each order must read in its parameters before starting
to progress in the simulation proper. All orders initially
compete to use the reader for this purpose. It does not
matter in what sequence they actually acquire it.

    ORDER = [starttime:VAR NN || numberofsteps:VAR NN ||
             rdr!acquire; (reader?n:NN → starttime := n);
             (reader?n:NN → numberofsteps := n);
             [[||i:1..numberofsteps] machinegroup_i : VAR NN ||
              [||i:1..numberofsteps] servicetime_i : VAR NN ||
              for i:1..numberofsteps →
                ((reader?n:NN → machinegroup_i := n);
                 (reader?n:NN → servicetime_i := n));
              rdr!release; PROGRESS
             ]]



The first action of each order is to wait until its
starttime is due. It then progresses through each step,
acquiring its machine from a foreman, and holding it for
the required service time.

    PROGRESS =
        (starttime?m:NN → timer!m);
        (for i:1..numberofsteps →
           (machinegroup_i?mg:NN →
              foreman_mg!request; foreman_mg?granted;
              (servicetime_i?n:NN → HOLD(n));
              foreman_mg!release
           )
        )
Technical Notes.

To avoid the introduction of non-determinism, we have observed the
following restrictions:

(1) Define P° as the set of symbols denoting events in which P can
participate on its first step:

    P° = {x | <x> ∈ P}

We use P □ Q only when P° ∩ Q° = {}, so that the decision between P and
Q can be made on the first step.

(2) The event √ occurs only at the end of a trace; and when it does
occur, it is the only event that can occur:

    for all traces s,
    if s√ is in P, and st is in P then t = <√>

This ensures that successful termination of a process is always
deterministic.

(3) If √ is in the alphabet of P but not of Q, then P||Q is allowed only if
the alphabet of Q is wholly contained in the alphabet of P. This
ensures that successful termination of P automatically cuts short any
further activity of Q.

(4) An alphabet transformation is always a one-one function.

(5) For s in P, P(s) describes the future behaviour of P when s is
the trace of its past behaviour:

    P(s) = {t | st is in P}

We define s\X as s↾(P − X), the restriction of s to the symbols not
in X. We insist that after concealment of X, the future behaviour of
a process is still uniquely determined by the still visible symbols
of its past behaviour:

    for all s and t in P:
    if s\X = t\X then P(s)\X = P(t)\X



(6) An infinite array of parallel processes must not communicate with 
each other (their alphabets must be disjoint). This ensures that the 
infinite parallelism can be defined as the limit of the parallel 
combination of all finite subsets. 